by vtlynch
3403 days ago
|
I think Chrome's behavior is the most sensible choice. If you are in an environment where traffic inspection is required by policy, then the browser should obey that. If Chrome enforced pinning with local roots, then the outcome would be:

1. Those sites simply become inaccessible
2. Those networks require you to use a different browser
3. Those networks deploy a modified version of the browser which disables that behavior
4. Websites avoid using HPKP in the first place because it may cause problems

or some combination. Those outcomes seem worse than Chrome obeying the desires of the network admins. Is there some risk that malware or other bad actors could abuse this? Sure. But Chrome's devs considered that and decided any other number of bad things could be done with the same access.